command_guard
Regex-based shell command filter applied before execution.
What it mitigates
- Destructive commands (
rm -rf /) - Privilege escalation (
sudo) - Secret-file scraping (
cat .env, similar patterns)
Recommended defaults
| Profile | mode |
|---|---|
local | enforce strict deny patterns |
standard | enforce baseline deny patterns |
unbounded | observe or narrowed deny set |
Minimal config
moduleConfig:
command_guard:
denyPatterns:
- "(^|\\s)sudo\\s"
- "rm\\s+-rf\\s+/"
- "(^|\\s)(cat|less|more|head|tail|grep|awk|sed)\\s+[^\\n]*\\.env(?:\\.|\\s|$)"Pattern design guidance
- Anchor patterns to reduce false positives.
- Add tests for every new pattern before rollout.
- Keep a changelog of allowed exceptions.